Original comment follows:
In my view, this would just DRM-ize everything on the web. Of course, Cloudflare and Fastly don't talk about this much, and Cloudflare keeps assuring you'll still get captchas if device attestation fails or is unsupported. But realistically, once all Microsoft, Google and Apple implement it in their devices, there isn't much of a reason to keep accepting non-attested devices. You can already see where this is starting to go - if you're using Linux/BSD or another niche OS, congratulations, you can't submit forms any more. And since device verification would become extremely cheap to perform this way, you'd also see websites protected entirely by this tech, effectively locking out Linux/BSD users. The Cloudflare article also talks about how, at least in the case of Apple, they'd run something like a posture assessment to confirm that your device components are genuine. I can also see this new tech locking out users of non-OEM repairs. This is a much bigger deal than what it seems like on the surface, and I'm genuinely scared about how this one simple move dwarfs all of the "evil" things that big tech has done so far.
https://www.ietf.org/archive/id/draft-private-access-tokens-...
Once it is implemented in windows it will quickly, if not immediately, be followed by locked bootloaders on any device available in brick and mortar stores or the big online sellers and being locked out from using attestation if you are not using an OS from Apple, MS or Google. We may see a brief window where some select linux distros get to grovel to MS to get signed, but that will quickly go away.